WannaCry shows we need to understand why organizations don't patch

Posted by   Martijn Grooten on   May 17, 2017

For the past few days, the world of Infosec on Twitter has tried to find as many ways as possible of saying "we told you so".

To be fair, it's true – we did tell you so: for years we have warned of the dangers of not patching, of not keeping backups, and of running services one doesn't really need. Infosec does indeed have a pretty good track record of predicting the most serious cyber attacks. Unfortunately, it achieves this by constantly predicting doom, so that eventually it ends up being right.

Remember, for example, the 2015 vulnerability found in the Stagefright Android library? "In the worst case scenario, the exploit could be turned into a worm of a size not seen for a very long time," I wrote in a blog post, echoing what everyone else was saying around that time. Yet, despite the still deplorable state of Android patching, we have yet to see such a worm. In fact, I am not aware of any use of the Stagefright vulnerability in the wild. Stagefright isn't an exception: most vulnerabilities, even many of those that sound really bad, are rarely, if ever, exploited in the wild.


So maybe the question we should be asking about WannaCry is not "why do so many organisations allow unpatched machines to exist on their networks?" but "why doesn't patching work reasonably well most of the time?".

Indeed, not patching may well be the most effective short-term strategy. With a few exceptions, such as browser plug-ins and open-source CMSs, exploitation of vulnerabilities right after they have been patched is rare. It may actually be more common to encounter problems arising from patches that go wrong.

Of course, patching is the sensible long-term approach, even if one can spend years running out-of-date systems before something as bad as WannaCry hits. A dedicated security team can help make patching a mostly painless procedure. Such teams aren't cheap though, and this, together with the price of some more advanced security products, may be the real issue: many organizations simply don't have the money we believe they should be spending on security. Repeatedly labouring the point that they should spend the money anyway may not always be the most effective approach.

When I was putting together the programme for VB2017, I wanted to include a number of talks by people who could provide a view from organizations that don't have lots of cash to throw at the security problem; I am pleased that the programme, which went live earlier this month, does indeed include several such talks.


Most relevant to WannaCry is the talk by Jelena Milosevic, who works as a hospital nurse and has a passion for security; she is thus very well qualified to provide a behind-the-scenes view of healthcare security. But I am just as much looking forward to hearing Claus Cramon Houmann, who will talk about his time as a CISO for a small bank, and will share how to achieve 'minimum viable security' on a small budget.

Claus-Houmann-web.jpgClaus Cramon Houmann will talk about his time as a CISO for a small bank.

I am also looking forward to the presentation by Tyrus Kamau (Euclid Consultancy), who will talk about the state of cybersecurity in Kenya. It will be interesting to see how different, or maybe how similar, the threat landscape is in a country that has less money to spend in general, and thus less on security in particular. Maybe tighter budgets have made people more inventive and not necessarily less secure.

Another group that doesn't have a lot of money is 'civil society': NGOs, human rights activists, journalists, and so on. Many of them are volunteers or work for little money; they certainly don't have the funds to get a well-paid CISO or to spend on fancy and probably very effective security tools. Claudio Guarnieri, currently working for Amnesty International, but also one of the people behind the open-source Cuckoo Sandbox, will talk about the threats these people and organizations are facing.

If you're reading this, you probably work in security. It is your job to tell others how to make their systems more secure – and please continue to do so! But don't forget also to listen to those fighting security in the real world, and to make an effort to understand the constraints they operate under.

VB2017 will take 4-6 October in Madrid, Spain. Registration is now open - register before 30 June 2017 to qualify for the early bird rate!




Latest posts:

VBSpam tests to be executed under the AMTSO framework

VB is excited to announce that, starting from the Q3 test, all VBSpam tests of email security products will be executed under the AMTSO framework.

In memoriam: Prof. Ross Anderson

We were very sorry to learn of the passing of Professor Ross Anderson a few days ago.

In memoriam: Dr Alan Solomon

We were very sorry to learn of the passing of industry pioneer Dr Alan Solomon earlier this week.

New paper: Nexus Android banking botnet – compromising C&C panels and dissecting mobile AppInjects

In a new paper, researchers Aditya K Sood and Rohit Bansal provide details of a security vulnerability in the Nexus Android botnet C&C panel that was exploited in order to gather threat intelligence, and present a model of mobile AppInjects.

New paper: Collector-stealer: a Russian origin credential and information extractor

In a new paper, F5 researchers Aditya K Sood and Rohit Chaturvedi present a 360 analysis of Collector-stealer, a Russian-origin credential and information extractor.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.